Implementation of Elliptic Curve25519 in Cryptography

Bernstein's design implementation of elliptic Curve25519 in key exchange is claimed to be highly secure and efficient. This curve is, for example, used in the key exchange scheme of TextSecure for Instant Messaging. In this paper, we present an implementation of elliptic Curve25519 in the simplified Elliptic Curve Integrated Encryption Scheme, thus showing that elliptic Curve25519 can also serve other purposes than key exchange. The curve is in Montgomery form, which makes it possible to use the Montgomery ladder. Point compression, point decompression, encryption, and decryption algorithms are presented for the simplified Elliptic Curve Integrated Encryption Scheme.


Introduction
Curve25519 is an elliptic curve in Montgomery form with base field $\mathbb{F}_p$ and $p = 2^{255} - 19$. In [1], Bernstein explains its design implementation, which is claimed to be highly secure and efficient. It is, for example, used in the key exchange scheme of TextSecure for Instant Messaging [2]. The advantage of using this curve is that for some point operations, we can use only the x-coordinate, which simplifies the computations and also saves storage.
In previous papers we have presented implementations of elliptic curves in Weierstrass form in a binary field: the implementation of a binary field arithmetic operation algorithm [3,4] and the implementation of the simplified Elliptic Curve Integrated Encryption Scheme (S-ECIES) in a binary field [5]. In the current paper, we present the implementation of Curve25519 in S-ECIES, thus showing that Curve25519 can also serve other purposes than key exchange.

Elliptic curve Montgomery form
Before defining Curve25519, we will give some basic theory on elliptic curves. This paper is only concerned with elliptic curves in Montgomery form, not Weierstrass form. An elliptic curve over $\mathbb{F}_p$ in Montgomery form is defined by the equation.
On the points of the elliptic curve, we may define point addition, negation, and doubling. We define point negation as follows: let E be an elliptic curve over $\mathbb{F}_p$ and point P(x,y) be a point on E. We define point negation of P as -P(x, -y). Let $P(x_1, y_1)$ and $Q(x_2, y_2)$ be two distinct points on E. Then the point addition is $P+Q(x_3, y_3)$, where and λ = 3x The points on the elliptic curve along with the point at infinity O form a commutative group with point addition as its operation.
We define scalar point multiplication as follows: given a positive integer m, scalar point mP is defined by mP = P+P+...+P (m times addition of P).
The advantage of using Montgomery form rather than Weierstrass form is that in Montgomery form, it is possible to operate without y-coordinates.
Elliptic curve operation in Montgomery form without y-coordinates can be done as follows [6]: let (X:Y:Z) be the projective representation of point P(x,y) in E, define $nP = (X_n : Y_n : Z_n)$, and write (x,y) as (X/Z, Y/Z). It is clear that (m+n)P = mP + nP. If $P_m(x_1, y_1) = mP$ and $P_n(x_2, y_2) = nP$, $x_1 = X_m/Z_m$ and $x_2 = X_n/Z_n$, then point addition is $P_m + P_n(x_3, y_3) = (m+n)P$, where $x_3 = X_{m+n}/Z_{m+n}$ and Point doubling is $2P_n(x_4, y_4) = 2nP = P_{2n}$, where $x_4 = X_{2n}/Z_{2n}$ and
Based on the work by Okeya and Sakurai reported in [7], we can recover the y-coordinate in projective coordinates. Let $P(x, y)$, $P_1(x_1, y_1)$, $P_2(x_2, y_2)$ be points on a Montgomery-form elliptic curve. Express $P_1 = (X_1/Z_1, Y_1/Z_1)$, $P_2 = (X_2/Z_2, Y_2/Z_2)$, and define $X_1^{rec}$, $X_2^{rec}$, $X_3^{rec}$ as follows: Assuming $P_2 = P_1 + P$, then in projective coordinates the relation $(X_1^{rec} : Y_1^{rec} : Z_1^{rec}) = (X_1 : Y_1 : Z_1)$ holds.

Curve25519 and simplified ECIES
Curve25519 is the elliptic curve of Montgomery form S-ECIES is based on the elliptic curve discrete logarithm problem described as follows [8]: let p be a prime number larger than 3. Let E be an elliptic curve over $\mathbb{F}_p$ such that E contains a cyclic subgroup H, generated by P, of prime order m. The plaintext space is $\mathbb{F}_p^*$ and the ciphertext space is $(\mathbb{F}_p \times \mathbb{F}_2) \times \mathbb{F}_p^*$. The key space is L = {(E, P, Q, n, m): Q = nP}. Curve E and points P, Q, and m become public keys, and n becomes the private key.
For every $a \in \mathbb{F}_p^*$ and a secret number $k \in [1, n - 1]$, the encryption function is where $a_0 \neq 0$ is the abscissa of kQ.
where $(x_0, y_0)$ is the coordinate of Point-Decompress(V). We know that the groups } are finite with group size at $8 \times p_1$ and $4 \times p_2$, respectively, for some primes $p_1$ and $p_2$. Hence, E contains a subgroup with prime order; therefore, Curve25519 can be implemented in ECIES.

Implementation
In this section, we will give several algorithms in Curve25519 for implementation in S-ECIES, i.e., the Montgomery ladder, point compression, point decompression, and others.
An advantage of using an elliptic curve in Montgomery form is that the Montgomery ladder can be used for scalar point multiplication.
Algorithm 1 Montgomery Ladder.
INPUT: scalar n, point P
OUTPUT: nP
10. end if
11. end for
12. return($R_0$)
Now, we can talk about point compression and point decompression in Curve25519. The algorithm for point compression follows directly from the existence of two points with the same x-coordinate on an elliptic curve, but with a different y-coordinate, i.e., point (x,y) and point (x,-y), which is equal to point (x,p-y). Because p is an odd prime, if y is an odd number, then p-y is an even number and vice versa. Hence, we can compress point (x,y) to (x, y mod 2), of which the possible result is (x,0) or (x,1).
Remember that in Curve25519 the y-coordinate is defined when y is not a quadratic residue or (x,y√2). By the same argument, if (x, y√2) is on E, then (x, (p-y)√2) is also on E. However, before we can compress a point of the form (x, y√2), we have to divide the y-coordinate by √2 to avoid problems in real computation. Then, the possible result when we compress a point of the form (x, y√2) is also (x,0) or (x,1).
The next algorithms are used to recover the y-coordinate in elliptic curve Montgomery form, because we need it in ECIES.
Now we can give the algorithms for encryption and decryption. For a point generator P in Curve25519 that has a prime order n, if Alice sends message x to Bob with private key m so Q = mP, then Alice encrypts the message with the following algorithm:

return b
Since this elliptic curve contains a cyclic subgroup of prime order, it is possible to apply S-ECIES. For example, fix base point P(X:Y:Z) with X = 9, Z = 1 (because in Curve25519, $z_1$ always has a value of 1), and the y-coordinate can be chosen randomly between odd and even integers that satisfy $y^2 = x^3 + 486662x^2 + x$. The chosen base point P has prime point order, with point order $m = 2^{252} + 27742317777372353535851937790883648493$. Hence, the curve can be implemented in S-ECIES.
Then, we choose a random integer, k, between 1 and m-1. Then, scalar multiplication of k with point x = 9 by using the Montgomery ladder algorithm produces $kP(X_k :: Z_k)$, and by using a y-coordinate recovery algorithm we can get $kP(X_k : Y_k : Z_k)$. After that, we convert the projective coordinates to affine coordinates to get $kP(X_k/Z_k, Y_k/Z_k)$, and we use Point-Compress(kP). Then the y-coordinate of the ciphertext is the multiplication of plaintext x with $x_3$, where we get $x_3$ from $kQ = (x_3, y_3)$. Since we only use the x-coordinate of kQ, we can use the Montgomery ladder with scalar k and point Q = nP.
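An added example (not code from the paper) of the x-only Montgomery ladder of Algorithm 1, used for the encryption above and for the decryption described in the next paragraph. It assumes the standard XZ ladder formulas with (A + 2)/4 = 121666, leaves out the compression bit because the x-coordinate of nV does not depend on it, and uses plain Python integers, so it is not constant-time; all function names are illustrative.

```python
import secrets

P = 2**255 - 19                  # field prime
A24 = (486662 + 2) // 4          # (A + 2)/4 for y^2 = x^3 + 486662x^2 + x
M = 2**252 + 27742317777372353535851937790883648493  # prime order of base point
BASE_X = 9                       # x-coordinate of the base point

def ladder(k, x1):
    """Return x(kP) from x1 = x(P) using XZ coordinates only; 0 encodes infinity."""
    x1 %= P
    x2, z2, x3, z3 = 1, 0, x1, 1             # R0 = O, R1 = P
    for i in reversed(range(255)):            # fixed length, scalars below 2^255
        bit = (k >> i) & 1
        if bit:                               # swap so the right point is doubled
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P                     # 4 * x2 * z2
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P  # R0 + R1
        x2, z2 = aa * bb % P, e * (bb + A24 * e) % P          # 2 * R0
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return x2 * pow(z2, P - 2, P) % P

def encrypt(a, q_x, k=None):
    """Encrypt a in F_p^* to the holder of n, where q_x = x(nP)."""
    if not 0 < a < P:
        raise ValueError("plaintext must be a nonzero element of F_p")
    if k is None:
        k = secrets.randbelow(M - 1) + 1      # fresh secret k in [1, M-1]
    mask = ladder(k, q_x)                     # x-coordinate of kQ
    if mask == 0:
        raise ValueError("degenerate public key")
    return ladder(k, BASE_X), a * mask % P    # (x(kP), a * x(kQ) mod p)

def decrypt(n, v_x, c):
    """Recover a = c * x(nV)^-1 mod p, where v_x = x(kP)."""
    mask = ladder(n, v_x)                     # x(nV) = x(kQ)
    if mask == 0:
        raise ValueError("ephemeral point has no usable x-coordinate")
    return c * pow(mask, P - 2, P) % P
```

The scheme as described has no integrity check: c is a bare multiplicative mask, which is why full ECIES derives keys with a KDF and adds a MAC over the ciphertext.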
For decryption, we first decompress $V(x_1, y_1)$ and then use private key n to get the scalar multiplication nV, using only the Montgomery ladder algorithm. The last step is multiplying the y-coordinate of the ciphertext with the inverse of the x-coordinate of nV to get the plaintext x. This inverse exists, because we are working in a prime field and the x-coordinate of V is not zero.
Now, we discuss arithmetic in $\mathbb{F}_p$ with $p = 2^{255} - 19$. There are two operations in $\mathbb{F}_p$, addition and multiplication. However, in $\mathbb{F}_p$ with $p = 2^{255} - 19$, it is not that easy. Bernstein [1] used radix $2^{25.5}$, which is a polynomial of the form $\sum_i \alpha_i x^i$, where i is a number between 0 and 9, $\alpha_i$ is a multiple of $2^{\lceil 25.5i \rceil}$ (where $\lceil x \rceil$ is the smallest integer that is not smaller than x), and $\alpha_i / 2^{\lceil 25.5i \rceil}$ is an integer between $-2^{25}$ and $2^{25}$. With the restriction that if i is an odd number then $\alpha_i / 2^{\lceil 25.5i \rceil}$ is between $-2^{24}$ and $2^{24}$, while if i is an even number then $\alpha_i / 2^{\lceil 25.5i \rceil}$ is between $-2^{25}$ and $2^{25}$, every element in $\mathbb{F}_p$ with $p = 2^{255} - 19$ can be converted to radix polynomial form. The following algorithm converts integers to radix as follows:
Following the above algorithm, first convert the integer to its binary representation, and then, from the right, partition it into blocks of 26, 25, 26, 25, ..., k bits, with 0 ≤ k ≤ 25. For example, if the binary representation of an integer has length 231, then the partition from the right is 26, 25, 26, 25, 26, 25, 26, 25, 26, 1. Every partition represents the value $\sum d(i)\,2^{i-1}$, where d(i) is the digit at position i of the binary representation, which is either 0 or 1. Also, the j-th partition is the coefficient of $x^{j-1}$.
addition and multiplication in radix $2^{25.5}$. After we have converted any integer, there is an additional problem when the coefficient of radix $2^{25.5}$ exceeds our definition. For this problem, Bernstein [1] has already provided a solution.
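An added example (not from the paper or from [1]) of the integer-to-radix partitioning described above, plus one way to handle a coefficient that exceeds its width: carry into the next coefficient and fold the carry out of the top coefficient back into the lowest one multiplied by 19, since $2^{255} \equiv 19 \pmod p$. It assumes non-negative coefficients, as produced by the binary partitioning, rather than the signed ranges quoted above; the function names are illustrative.

```python
P = 2**255 - 19
# Coefficient i starts at bit ceil(25.5 * i), so the widths alternate 26, 25, 26, 25, ...
OFFSET = [(51 * i + 1) // 2 for i in range(11)]        # 0, 26, 51, ..., 230, 255
WIDTH = [OFFSET[i + 1] - OFFSET[i] for i in range(10)]

def to_radix(n):
    """Split 0 <= n < 2^255 into 10 coefficients, least significant first."""
    if not 0 <= n < 2**255:
        raise ValueError("integer does not fit in 255 bits")
    return [(n >> OFFSET[i]) & ((1 << WIDTH[i]) - 1) for i in range(10)]

def from_radix(limbs):
    """Evaluate sum(limbs[i] * 2^ceil(25.5 i)) modulo p."""
    return sum(l << OFFSET[i] for i, l in enumerate(limbs)) % P

def carry(limbs):
    """Bring oversized coefficients back into range, preserving the value mod p."""
    limbs = list(limbs)
    while any(l >> WIDTH[i] for i, l in enumerate(limbs)):
        for i in range(10):
            c = limbs[i] >> WIDTH[i]          # part that does not fit in this width
            limbs[i] -= c << WIDTH[i]
            if i < 9:
                limbs[i + 1] += c
            else:
                limbs[0] += 19 * c            # 2^255 = 19 (mod p)
    return limbs

def add(f, g):
    """Coefficient-wise addition followed by carry propagation."""
    return carry([a + b for a, b in zip(f, g)])
```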

Applications
Communication systems in the future are expected to interact between diverse types of devices. This allows the user to construct a personal distributed environment using a combination of different communication technologies. The security of transmitted data between these devices is a very important aspect.
Nowadays instant messaging is popular for personal and business communications instead of short messages (SMS) on mobile devices. However, most mobile messaging applications do not protect confidentiality or message integrity. Surveillance of private communications conducted by the NSA motivates many people to use alternative messaging solutions for security and privacy of communication on the Internet. A messaging app that claims to offer secure instant messaging and has attracted a lot of attention is TextSecure.
Elliptic curve cryptography (ECC) is a form of public-key cryptography suitable for use in environments with limited resources such as mobile devices and smart cards. In cryptography, Curve25519 is an elliptic curve that offers 128 bits of security and is designed for use in the Elliptic Curve Diffie-Hellman (ECDH) key agreement scheme. This curve is one of the fastest ECC curves and is more resistant to weak random number generators.
In the TextSecure application, Curve25519 is used for key exchanges and authentication. However, in this paper we show that Curve25519 can also be implemented in the simplified Elliptic Curve Integrated Encryption Scheme (S-ECIES). Therefore Curve25519 serves for key exchange, authentication, encryption, and decryption. As Curve25519 is built in such a way as to avoid potential attacks on implementation and avoid side channel attacks and random number generator issues, one may expect more secure communication systems.

Conclusion
The curve being used in this paper is $y^2 = x^3 + 486662x^2 + x$, a Montgomery curve, over the prime field with $p = 2^{255} - 19$. This protocol uses elliptic point compression (only the X-abscissa), allowing for efficient use of the Montgomery ladder for ECDH, which uses only XZ coordinates.
In this research we develop efficient algorithms for elliptic curve cryptography using Curve25519, which is used in the security of instant messaging.
Several algorithms have been established for the implementation of Curve25519 in simplified ECIES: the Montgomery ladder for scalar point multiplication, point compression and point decompression, encryption and decryption in simplified ECIES, and the integer-to-radix algorithm for the arithmetic in $\mathbb{F}_p$ with $p = 2^{255} - 19$.
In future research, implementation of Curve25519 in the Elliptic Curve Digital Signature Algorithm may be attempted.